Okta SAML JIT & matching against unique identifier

We have users signing into our system via SAML SSO. We would like to keep consistency between the other system and Okta by referencing a unique identifier on the IdP side that we store in Okta.

During SSO we would like to match that unique identifier against the one in our system. If it does not exist, the user is created. The problem is that matching is only done against the username. If we set the IdP Username field to the unique identifier field, JIT fails as it tries to create the user using this unique identifier as the username instead of using the username attribute from SAML. Currently the username attribute from SAML is set to an email address and mapped to the login field of the Okta profile.

Do you have any ideas for how we could resolve this?
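To make the two matching strategies in the question concrete, here is an added example (not Okta's code or configuration, and not a configuration the original poster used) that models SAML JIT provisioning against an in-memory user store. It parses a constructed, unsigned assertion body, then provisions the same person twice with username-only matching versus matching on a stable identifier; the attribute names `externalId` and `email`, the employee id and the addresses are assumptions made for the demo.

```python
"""Model of SAML just-in-time (JIT) provisioning keyed on a stable identifier.

Added example, not Okta's code. The attribute names `externalId` and `email`,
the employee id and the e-mail addresses are constructed for illustration.
The assertion is assumed to have had its signature, audience and conditions
checked before it reaches this code.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


@dataclass
class User:
    external_id: str   # immutable id the IdP also stores; the intended match key
    login: str         # mutable username (here an e-mail address)


class UserStore:
    """In-memory stand-in for the service provider's user directory."""
    def __init__(self):
        self.users = []

    def find(self, **criteria):
        for u in self.users:
            if all(getattr(u, k) == v for k, v in criteria.items()):
                return u
        return None


def parse_assertion(xml_text):
    """Return NameID plus the first value of each attribute in the assertion."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values[0] if values else None
    name_id = root.find(".//saml:Subject/saml:NameID", SAML_NS)
    attrs["NameID"] = name_id.text if name_id is not None else None
    return attrs


def jit_by_username(store, attrs):
    """The behaviour the question describes: match only on the username."""
    login = attrs["NameID"]
    user = store.find(login=login)
    if user is None:
        user = User(external_id=attrs.get("externalId", ""), login=login)
        store.users.append(user)
        return user, "created"
    return user, "matched"


def jit_by_external_id(store, attrs):
    """Desired behaviour: match on the stable identifier, create if absent,
    and let the username follow the assertion without changing identity."""
    ext_id = attrs.get("externalId")
    if not ext_id:
        raise ValueError("assertion carries no externalId; refuse to provision")
    login = attrs.get("email") or attrs["NameID"]
    user = store.find(external_id=ext_id)
    if user is None:
        user = User(external_id=ext_id, login=login)
        store.users.append(user)
        return user, "created"
    if user.login != login:
        user.login = login   # username drift, same identity
        return user, "updated"
    return user, "matched"


def assertion(name_id, ext_id, email):
    """Build a constructed (unsigned) assertion body for the demo."""
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            "<saml:AttributeStatement>"
            f'<saml:Attribute Name="externalId"><saml:AttributeValue>{ext_id}</saml:AttributeValue></saml:Attribute>'
            f'<saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>'
            "</saml:AttributeStatement></saml:Assertion>")


def demo():
    """Same person signs in twice; her e-mail (and thus username) changed in between."""
    first = parse_assertion(assertion("alice@example.com", "emp-10042", "alice@example.com"))
    second = parse_assertion(assertion("alice.smith@example.com", "emp-10042", "alice.smith@example.com"))

    by_name = UserStore()
    jit_by_username(by_name, first)
    jit_by_username(by_name, second)                  # second account for the same person

    by_id = UserStore()
    jit_by_external_id(by_id, first)
    _, outcome = jit_by_external_id(by_id, second)    # one account, login updated
    return {"username_accounts": len(by_name.users),
            "external_id_accounts": len(by_id.users),
            "second_login_outcome": outcome,
            "final_login": by_id.users[0].login}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the practical difference: username-only matching ends with two accounts for one person after an address change, while matching on the stable identifier keeps a single account whose login is updated. The `ValueError` branch is deliberate: an assertion without the stable identifier should not silently fall back to username matching, since that reintroduces the ambiguity the identifier was meant to remove.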

Please open a support ticket through an email to support@okta.com with this issue. One of our SAML experts will be happy to assist you further.